Medibank also failed to restrain the OAIC from making any determinations, which could include a requirement the insurance giant take steps to ensure appropriate procedures are in place.

If its investigation uncovers “serious and/or repeated interferences”, with Australia’s privacy laws, the OAIC also has the power to seek civil penalties of up to $2.2 million for each contravention.

In a recent ASX statement, Medibank said it expects its cyber crime costs to be between $30 million and $35 million in this financial year “for further IT security uplifts and legal and other costs related to regulatory investigations and litigation”.

In addition to the now Federal Court-approved OAIC investigation, Medibank is also facing several class actions and a $250 million penalty levied by the Australian Prudential Regulation Authority.

Maurice Blackburn principal lawyer Andrew Watson said the firm was carefully reviewing the breach to investigate whether Medibank’s customers were entitled to compensation.

“As custodians of customer’s personal health information, Medibank has a heightened responsibility to put in place greater safeguards to secure the personal and health claim information it collected from its customers, including appropriate security and monitoring systems to protect against unauthorised access or disclosure of that data,” Mr Watson said.

At the time of the hack, a group known as REvil demanded $15.6 million and threatened to leak the information online.

VIEW ALL

Late last month, three federal ministers said Russian man Aleksandr Ermakov was responsible for the attack and would be sanctioning him under Australia’s new cyber laws.

The Federal Court decision follows OAIC’s recent announcement it had opened an investigation into HWL Ebsworth’s hack.